Improving WordPress Security

Can WordPress Be Hacked?

There’s an old saying that the only secure computer is a switched off computer, particularly one that is attached to a network such as the internet. With that in mind, the answer to the question is definitely yes: WordPress can be hacked.

In fact, it happened to me at the beginning of the year. I have over 10 years of WordPress experience and a silly mistake left me vulnerable. So I have some experience of what it’s like to have your WordPress site hacked and figured out the hard way how to improve WordPress security for your website.

What Are The Problems With A Hacked WordPress Site?

WordPress hacks come in all sorts of flavours. Many are simple advert injection scripts which, as the name implies, place unauthorized advertisements on your web pages so that the hacker gets paid whenever someone visits your site. There are a few reasons why this is bad for you. Firstly, that’s money you could be earning instead of the hacker. Secondly, the adverts won’t match your branding and could cost you viewers. Thirdly, you never really know if something more nefarious is also going on: anyone who can modify your pages to inject adverts can modify them to do anything else.

Some hacks inject JavaScript that uses up resources on your visitors’ computers. Some of the more recent ones have installed cryptocurrency miners that run in visitors’ browsers. Again, this makes money for the hacker at the expense of your users.

Your reputation with both your visitors and the big search engines such as Google and Bing will suffer. It is definitely a good idea to make sure you secure your WordPress website.

Ways To Prevent Your WordPress Site Being Hacked

Given how bad it is when your WordPress website gets hacked – and if you take no precautions it probably will – it’s a good idea to learn how best to secure it. Here’s some quick tips to reduce your risk of getting your site hacked.

Choose a Non Standard Administrator Login Name

Most hacks are not performed by a person sitting at a computer trying to get into your site. Unless you’re some massive name in the industry with something worth all that time and effort to steal, you aren’t interesting enough. But there is an army of ‘bots’ out there attacking random sites with multiple attack vectors. A bot is a script running on a computer somewhere else, probing websites for vulnerabilities. If your website uses a standard administrator username such as admin, the bot only has to guess your password. One caveat: WordPress usernames are not secret. Author archive pages and the REST API frequently reveal them, so treat a non-standard username as removing the easy guess, not as a second password.

Many hosting control panels these days will automatically create a non-standard administrator username for you. If you’re using a control panel that does this, we recommend getting yourself a good, easy to use password manager such as RememBear so that you can store the username and password securely. A good password manager also removes the temptation to reuse the same credentials everywhere and makes it less likely that you’ll choose an easy to guess password.

Choose A Difficult Password

So many of us use the same password for multiple sites. We think that because it’s hard to guess it must be OK. But the reality is that if any one of those sites is breached and its passwords leak, every other site where you used that password is exposed. A cracker will try a leaked password against other services before anything else, because it so often works, and in doing so they gain access everywhere else too. A good password manager prevents this by generating a different, very strong password for every site and remembering them all for you.

A difficult password matters because, as far as the WordPress login screen is concerned, the only way in without a vulnerability is to guess it. If your password is easy, the cracker just keeps throwing wrong guesses at your login page until one works. A short password made up only of letters takes far fewer ‘brute force’ guesses than a long one with letters, numbers and special characters, and length counts for more than anything else. Bear in mind that this protects the login screen only: if an attacker can read your database or your wp-config file through some other hole, as described later in this guide, they never need to guess anything.

Because they’re so much harder to remember though, we recommend getting yourself a password manager such as RememBear (which is the one we use) to remember them all for you. The password manager will also prefill any login boxes for you. RememBear comes on Windows, Mac, Android and iOS. One subscription works for all devices you have.

Keep WordPress Core, Themes And Plugins Up To Date

WordPress Updates To Keep Your WordPress Secure
Check The Updates Screen Regularly To Keep Your WordPress Secure

This one is extremely important too. New vulnerabilities are found in WordPress regularly, and the core developers patch them quickly. But a patch only protects you once it has been applied to your website, so you need to make sure you’re set up to receive them.

By default WordPress installs minor releases, which is where security fixes are shipped, automatically. Major releases have to be applied manually unless you turn on automatic updates for them too. To apply updates, log in to your WordPress dashboard. You’ll see an Updates option underneath Dashboard in the left-hand menu. If there’s a number in red beside it, you have updates waiting.

Keeping your themes and plugins up to date is, if anything, even more important. Many, many intrusions have come through out-of-date (or abandoned, no longer updated) themes and plugins. Check the last-updated date on a plugin’s page in the WordPress plugin directory; if it hasn’t been touched in years, replace it.

Choose The Right Hosting Package

Unless you’re a seasoned Linux or Windows administrator you should definitely not try to run your own server for hosting your website. Well, unless you can afford to employ seasoned Linux or Windows administrators that is. In which case you’re probably not going to need to be reading this post 🙂

For everyone else, a shared hosting solution is probably the best option. Shared hosting has its own trade-offs, the biggest being that you share a server with strangers, but the big thing it has going for it is that you do not need to concern yourself with the security of the machine itself.

On shared hosting, the hosting provider operates the machine your site runs on and takes care of operating system patches and the like. You still need to secure your specific WordPress installation using the tips in this guide, and it’s worth checking that the host isolates customer accounts from one another so that a neighbour’s compromised site cannot write to yours.

Another type of hosting package is a Virtual Private Server (VPS). In this scenario you are responsible for patching and securing the operating system yourself. Doing that is beyond the scope of this document, and we’d recommend shared hosting in most cases anyway.

We use SiteGround for our website hosting. It’s been solid and their tech support have been excellent. We highly recommend them. InMotion Hosting are also an excellent choice who also provide superb technical support. There’s hundreds if not thousands of WordPress hosts out there. We’ve just found those two to be the easiest.

Install A WordPress Security Plugin

There are plenty of plugins around that claim to improve the security of a WordPress installation. In our view, however, there are really only two that are well recognised by the industry, and we’ll go through them here.

WordFence: The Best WordPress Security Plugin

WordFence is by far our favourite. It is comprehensive in its approach. It’s free, though it does have a Premium version. It’s available from the WordPress plugin repository.

Installing WordFence

Installation is really easy. Just navigate to the Plugins menu using the left hand sidebar. Choose Add New and you can then type Wordfence into the Search Plugins box. This will bring up Wordfence and a few additional utilities available for Wordfence. I also install the Wordfence Login Security plugin because it gives some really handy additional tools that I’ll go into later. The screen shot below gives you an idea of where to look.

WordFence WordPress Security Plugin Installation Screen on WordPress

Once the plugin is downloaded and installed, click the Activate button. This will, strangely enough, activate the plugin. Once activated you can begin to configure Wordfence. There’s not much to do with it, but there’s some little bits that are worth investing the time in to help bolster your security.

Setup Notification Address In WordFence

The first step to address after installing WordFence is to tell it where to send any e-mail notifications if it finds anything wrong. This is quite important. You will get various messages from it but they’re all worth getting so put in an e-mail address you regularly check or one that will notify you on your phone when it receives messages. WordFence will use this address to tell you when things are wrong on your site, or if it thinks someone is trying to break in.

WordFence Initial Setup Screen

Whilst it’s not essential to get the plugin to work, if this is your first time using WordFence it can be worth signing up for their security mailing list too. In this way you’ll be notified whenever there’s an industry wide security problem with WordPress. I’ve joined the mailing list and it isn’t spammy. I get maybe one e-mail a week or so.

Once you’ve entered the details on that screen shown above and ticked the box to accept the terms and conditions you’ll be presented with another screen that asks you to enter your Premium Key. If you have bought the premium version of WordFence then this is where you enter the key you’ll have been sent. If you are on the free version you can just press No Thanks to proceed.

Finish The Setup

Once you’ve done that you’ll be taken back to the WordPress plugins screen. To continue setting up WordFence, click the Wordfence link on the left hand toolbar. The first time you do this you’ll see the screen below;

You should first enable auto-updates. You don’t have to do this of course but we do recommend it as it’ll keep your WordFence up to date. Then click the Click Here To Configure button. If you don’t do this your Wordfence installation will not be fully setup and protecting you.

Wordfence Initial Setup Screen

Clicking the button opens another screen that asks you to download a copy of your .htaccess file. Keep that copy: Wordfence is about to modify the live file, and the download is your way back if the change breaks your site. Once the file is downloaded you can click Continue. You may not see the same contents as in the screenshot below, as it depends on your web host’s configuration. It’s fairly likely to be the same, but if it’s not, don’t panic.

The .htaccess file it talks about is a per-directory control file used by the Apache web server, which Wordfence will have detected your host is running. Wordfence modifies this file (if it can) so that its firewall loads before WordPress itself does. If your host runs nginx instead, there is no .htaccess, and you’ll need to follow the host-specific instructions Wordfence shows on that screen.

Wordfence Download .HtAccess File

Adjusting The Brute Force Protection

I find the default settings for the Brute Force Protection offered by Wordfence are way too lax. The defaults allow 20 erroneous logins in a 4 hour period before they’ll lock out that computer. Whilst, to be fair, it’s unlikely anyone would guess your password after just 20 attempts I think that if they have more than 3 attempts then they’re just guessing.

Wordfence Brute Force screen - the things I change

Remember earlier we said the easier your password was to guess then the more likely it was that someone would get in? This is where we make it just that little bit harder for them to get in. Having a strong password and this brute force protection means that an automated script can’t just hammer your login page repeatedly until it gets the right password.

I set the limit to 3 because some hack attempts will come from multiple computers. This means that each computer trying to guess your password has 20 attempts by default before it gets locked out. I wind that back to a mere 3. If it’s you trying to get in, the chances are that you’ll either have saved your password in something like RememBear anyway or will remember what it was by the second or third attempt.

Finally I add ‘admin’ to the list of usernames that are immediately locked out. I never use the name ‘admin’ but some scripts will try to login with this username first of all as many vulnerable sites still use this as the main admin account name. Anyone trying to login as this username is dodgy and should be blocked.
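What those Wordfence settings amount to, written out as an added example (this is illustrative code, not Wordfence’s): a must-use plugin that locks an IP address out for four hours after three failed logins and locks it out immediately when a username from a deny list is tried. All names beginning `example_` are mine. Only put usernames in the list that no real account on your site uses, or you will lock yourself out; and if your host puts a reverse proxy in front of your site, `REMOTE_ADDR` will be the proxy’s address rather than the visitor’s, so the lockout would apply to everyone at once.

```php
<?php
/**
 * Plugin Name: Example login lockout
 * Description: Added example, not Wordfence's code. Put this file in
 *              wp-content/mu-plugins/ and WordPress loads it on every request.
 */

define( 'EXAMPLE_LOCKOUT_MAX_FAILURES', 3 );                 // failed logins allowed per IP
define( 'EXAMPLE_LOCKOUT_WINDOW', 4 * HOUR_IN_SECONDS );     // counting window and lockout length
define( 'EXAMPLE_LOCKOUT_USERNAMES', array( 'admin', 'administrator', 'test' ) ); // names no real account uses

/**
 * Client address. Assumes no reverse proxy in front of the site; behind one,
 * REMOTE_ADDR is the proxy and you must read the header your host documents.
 */
function example_lockout_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_lockout_key( $ip, $suffix ) {
    return 'example_lockout_' . $suffix . '_' . md5( $ip );
}

function example_lockout_is_locked( $ip ) {
    return (bool) get_transient( example_lockout_key( $ip, 'locked' ) );
}

function example_lockout_lock( $ip ) {
    set_transient( example_lockout_key( $ip, 'locked' ), 1, EXAMPLE_LOCKOUT_WINDOW );
    delete_transient( example_lockout_key( $ip, 'fails' ) );
}

/**
 * Runs before WordPress checks the password (priority 5 beats the core
 * username/password check at 20). Returning a WP_Error refuses the login.
 */
function example_lockout_authenticate( $user, $username, $password ) {
    $ip = example_lockout_client_ip();

    // A username that should never exist means the client is guessing: lock at once.
    if ( '' !== $username && in_array( strtolower( $username ), EXAMPLE_LOCKOUT_USERNAMES, true ) ) {
        example_lockout_lock( $ip );
    }

    if ( example_lockout_is_locked( $ip ) ) {
        // Same message whether or not the username exists, so nothing is leaked.
        return new WP_Error( 'example_locked_out', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'example_lockout_authenticate', 5, 3 );

/** Count a failed password check; lock the IP once the threshold is reached. */
function example_lockout_record_failure( $username ) {
    $ip    = example_lockout_client_ip();
    $key   = example_lockout_key( $ip, 'fails' );
    $fails = (int) get_transient( $key ) + 1;

    if ( $fails >= EXAMPLE_LOCKOUT_MAX_FAILURES ) {
        example_lockout_lock( $ip );
        return;
    }
    // Re-saving resets the expiry, so this is a sliding window.
    set_transient( $key, $fails, EXAMPLE_LOCKOUT_WINDOW );
}
add_action( 'wp_login_failed', 'example_lockout_record_failure' );

/** A successful login clears the failure counter for that IP. */
add_action( 'wp_login', function () {
    delete_transient( example_lockout_key( example_lockout_client_ip(), 'fails' ) );
} );
```

Because it hooks the `authenticate` filter, this also covers logins attempted over XML-RPC, which go through the same code path. Wordfence does the same job with far more care (allowlists, proxy detection, a block list shared across its whole user base), so this is for understanding the mechanism rather than replacing the plugin.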

General Wordfence Settings To Improve WordPress Security

Once I’ve set up the things above, I navigate to the Wordfence All Options screen as shown below. Then, under General Wordfence Settings I make sure that the WordPress version is suppressed from the web pages it generates. This can help reduce the likelihood of being exploited by bugs in certain versions of WordPress. This is relatively minor as a script is more likely just to try anyway without bothering to read which version of WordPress I’m running – but it won’t hurt to have it removed.

Then, crucially, I disable code execution for the Uploads directory. There are several ways an unauthenticated user could get a malicious script into your uploads directory (typically a plugin that doesn’t properly check what it lets people upload) and then run it simply by requesting its URL. If someone can run a script they uploaded onto your server they can read your wp-config.php, which contains your database username and password, and with that they can add their own administrative user and log in with it. All your login security counts for nothing if someone manages to get a file into the Uploads directory and execute it. So, disable it.

This May Break Plugins Though

Some plugins may break if they can’t run code from the Uploads directory. In general I think these plugins are best avoided. I’ve not had any problems but I have heard of issues from other people. If you have any experience of plugins that break after activating this particular setting I’d be interested to hear it in the comments below.

Incidentally, earlier in this post I stated that I had recently had a WordPress site hacked. The uploads directory was the attack vector they used to upload a dodgy script which then searched through all my files, altered relevant ones to include inappropriate advertising redirects and hid itself as best it could. Unfortunately for me, I was on holiday at the time and didn’t notice for a few days… That’s a few days that Google had to notice and blacklist my sites. It wasn’t good. Disabling execution from the Uploads directory would have stopped this one dead in its tracks. That’s why I do it now 🙂
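The ‘disable code execution for uploads’ setting comes down to a handful of web server rules. As an added example (not Wordfence’s or Sucuri’s code), here is a function that writes them into `wp-content/uploads/.htaccess` using WordPress’s own `insert_with_markers()`, which only touches the block between its own markers and leaves anything else in the file alone. The `example_` names are mine. This only works where Apache is configured to read .htaccess files; on nginx the equivalent is a `location` block in the server configuration, for instance `location ~* /wp-content/uploads/.*\.php$ { deny all; }`.

```php
<?php
/**
 * Added example: write Apache rules that stop PHP running from wp-content/uploads.
 * Not Wordfence's or Sucuri's code. Run it once, e.g. with WP-CLI:
 *   wp eval-file this-file.php
 * Running it again is harmless: insert_with_markers() rewrites only its own block.
 */

/** The rules themselves, one line per array element. */
function example_uploads_php_deny_rules() {
    // Cover the usual executable extensions, not just ".php".
    return array(
        '<FilesMatch "\.(php|phtml|php[0-9]|phar)$">',
        '  <IfModule mod_authz_core.c>',   // Apache 2.4 syntax
        '    Require all denied',
        '  </IfModule>',
        '  <IfModule !mod_authz_core.c>',  // Apache 2.2 syntax
        '    Order deny,allow',
        '    Deny from all',
        '  </IfModule>',
        '</FilesMatch>',
    );
}

/** Installs the rules; returns true when they are in place, false if the file is not writable. */
function example_uploads_install_php_deny() {
    require_once ABSPATH . 'wp-admin/includes/misc.php'; // defines insert_with_markers()
    $uploads  = wp_upload_dir();
    $htaccess = trailingslashit( $uploads['basedir'] ) . '.htaccess';
    return insert_with_markers( $htaccess, 'Example uploads hardening', example_uploads_php_deny_rules() );
}

if ( ! example_uploads_install_php_deny() ) {
    error_log( 'Could not write uploads/.htaccess; check directory permissions.' );
}
```

After running it, requesting any .php file under the uploads directory in a browser should return a 403. Note what this does and does not do: it stops the web server executing PHP there, but it does not stop the upload itself, so whatever hole let the file in still needs fixing.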

Wordfence Login Security Plugin

When I talked about the initial installation of Wordfence previously in the article I said I installed the Wordfence Login Security Plugin as well. This extra little helper plugin adds a few very exciting free options to improve the security of your WordPress installation.

2 Factor Authentication

If you’re really keen to ensure that no-one except you can get into your WordPress administration screens then you can set up 2 Factor Authentication. I have done this with a number of my sites including this one.

2 Factor Authentication is a posh way of saying that you need something more than just a password to get in: a one-time code as well. The code comes from a 2FA application on your phone (Wordfence’s implementation uses a standard TOTP authenticator app) or, on some other services, via an SMS message sent to your phone, which is the weaker of the two. Your bank may well use something like this already. Now you can have this kind of security on your WordPress website thanks to Wordfence.

I use the Google Authenticator application on my phone to provide the one time codes to enable me to login. Before attempting to set up 2FA in Wordfence you’ll need to install that app. You’ll need to scan a code that Wordfence produces in order to make it all work.

Having installed the Google Authenticator app on your phone, click Login Security from the left hand tool panel on WordPress underneath the Wordfence settings.

Wordfence 2FA Setup

Wordfence gives really good setup instructions for the initial 2 Factor Authentication setup, so follow the prompts for your particular 2FA application. Once you have 2FA set up on your device (i.e. your mobile or tablet) you need to enable it for your particular account. Wordfence also gives you a set of recovery codes at that point; store them somewhere safe (your password manager will do), because without the phone and without the codes you are locked out of your own site. 2FA is not enabled by default, and you should set it to be required for every account that has administrative permissions on your site.

Switch Off XML-RPC

Next, I also switch off XML-RPC authentication. XML-RPC is a rather well known ‘password guessing’ route that bots take because it stays off the average administrator’s radar: it always lives at the same address, xmlrpc.php, whereas the login screen can be moved to reduce spam and automated attacks, and a single XML-RPC request can carry many login attempts at once. Check first that nothing you rely on needs it; Jetpack and the WordPress mobile app both use XML-RPC. Then switch it off.
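Several of the settings in this section and earlier (automatic updates, hiding the WordPress version, switching off XML-RPC) are one-line WordPress filters. The following must-use plugin is an added example, not Wordfence’s code, collecting them so you can see what the checkboxes actually do; the `example_` function name is mine. Note that the `xmlrpc_enabled` filter only refuses XML-RPC calls that need a login. The pingback method needs none and has been abused for distributed denial of service, so the example removes that as well.

```php
<?php
/**
 * Plugin Name: Example hardening
 * Description: Added example, not Wordfence's code. Put it in wp-content/mu-plugins/.
 */

// 1. Updates. Minor/security core releases are automatic already; these opt in
//    to major core releases and to plugin and theme updates as well.
//    define( 'WP_AUTO_UPDATE_CORE', true ) in wp-config.php does the core part too.
add_filter( 'allow_major_auto_core_updates', '__return_true' );
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// 2. Hide the WordPress version: the generator meta tag and feed element...
add_filter( 'the_generator', '__return_empty_string' );

// ...and the ?ver=X.Y.Z query string WordPress appends to core scripts and styles.
function example_strip_core_version( $src ) {
    global $wp_version;
    if ( false !== strpos( $src, 'ver=' . $wp_version ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'example_strip_core_version' );
add_filter( 'style_loader_src', 'example_strip_core_version' );

// 3. XML-RPC. Refuse every method that needs a login (equivalent to the
//    Wordfence "disable XML-RPC authentication" option).
add_filter( 'xmlrpc_enabled', '__return_false' );

// Pingbacks need no login and so are not covered above: drop the method and
// the response header that advertises it.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

Hiding the version is, as said above, a minor measure: bots usually try their exploit regardless. The update filters are the part worth keeping even if you use Wordfence for everything else, because they close the window between a patch being released and you noticing the red number on the dashboard.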

Google ReCaptcha V3

Finally, for WordPress security I enable the Google reCAPTCHA v3 option in Wordfence. This neat little trick prevents systems that don’t behave like a human from logging in or signing up to your blog. This can reduce brute force attacks and reduce spammy accounts being created on your site. I’m not entirely sure how the system actually functions, but basically every access to your login page is given a confidence score from 0.0 to 1.0. The score is how confident Google is that the access attempt has come from a human: 0.0 means there’s no way it was a human, and 1.0 means it almost certainly was.

You can set the threshold you believe works best for your userbase to be able to gain access without any hindrance but whilst blocking likely robots. I use 0.8 on my sites and as yet it hasn’t blocked any access for me but has blocked plenty of bots.

ReCaptcha v3 screen in Wordfence

Sucuri: The Second Best WordPress Security Plugin

Sucuri Security is another excellent scanning and hardening plugin for WordPress (the Sucuri Web Application Firewall itself is a separate, paid, cloud service that the plugin can connect to). Personally I prefer Wordfence, but a lot of people swear by Sucuri, so I include it here in case you want to check it out.

As usual there is a free version available from the standard WordPress plugin installation screen. If you want additional features there is a premium version available. I’ll leave it to you to decide if you need them or not. To install, just go to the WordPress Plugins screen and choose Add New at the top of the screen.

Install and activate Sucuri Security plugin for WordPress

Once you have installed and activated the plugin, navigate using the left-hand menu to Sucuri Security -> Dashboard as shown in the screenshot below. You’ll notice that Sucuri had already scanned my site before I had a chance to get to that screen, and it found some files it doesn’t like.

Sucuri Dashboard showing problematic files

In this case the two highlighted with red arrows are just files left hanging around from when I had Wordfence installed for this tutorial. The other file is Default.html which is included by SiteGround’s website installation process. These can simply be marked as fixed.

Sucuri Is An Excellent Scanner

Having done that, Sucuri rechecks my site and declares it is clean.

This wasn’t the case when my site had been hacked. A number of these were red and I had a big cleanup project on my hands.

The next step is to apply some hardening to your WordPress site. To do this, choose the Settings button at the top of the Sucuri screen. Then choose the Hardening tab.

Items that are already hardened will show in green. Items that need your attention will be marked in red.

The key thing on this screen is blocking PHP execution in the Uploads directory. Sucuri also lets you block it in the wp-includes and wp-content directories. These are legitimate attack paths too, though blocking wp-content can break plugins whose files the browser requests directly, so check your site afterwards and use the allowlist Sucuri provides for exceptions. It would be nice if Wordfence provided a convenient way to block these two extra directories.

Sucuri is definitely setup more to be a scanner than a protector though. I think in general, the free version of Sucuri assumes that you will secure your website manually in the main. Wordfence by contrast helps you secure your site automatically.

Sucuri Alerts

Sucuri will e-mail you to tell you that a new post has been added or deleted or modified. It will also e-mail you to tell you if plugins are activated or deactivated. New users will generate an e-mail to you from Sucuri etc. You can expect to get a lot of e-mail from Sucuri if you’ve a fairly active site.

You can decide which alerts you want to be sent and how often under the Alerts tab on the Settings screen. There’s too many options in there for me to list them all in this article but if you’re playing with Sucuri and don’t need to see as many alerts, that’s where to find them.

!! Install a Backup Solution – IMPORTANT !!

This is your backstop if everything else fails. A good backup solution enables you to restore your site to its pre-hack state, and it may be the only thing that can: some hacks entangle themselves in so many files that cleaning them out by hand is impractical. The backup has to predate the compromise, though, which is why you want a history of backups rather than a single copy that may already contain the hack.

Server Host Provided Backups

Some hosts provide backups as part of the package. SiteGround certainly do: a daily backup is free, with 30 days of backups kept. This means you have 30 days to discover a hack before the last clean copy is gone. Hopefully you don’t get hacked in the first place, but if you do, you had better be onto it quickly: 30 days with malware on your site will destroy any Google rankings you might have, because Google will blacklist you.

Advantages of Host Provided Backups

  • Usually an easy restore process
  • Host provider will often help restore if you get stuck
  • Quick restore process, since no files need uploading from you to host
  • Very cost effective if included in hosting price as it is with SiteGround for example
  • Unlikely to count towards any traffic quota

Disadvantages of Host Provided Backups

  • Probably not off-site, so won’t protect against a disaster at the data centre such as flooding or fire
  • Likely to be proprietary format, so no use for switching hosts
  • If the host itself is attacked, or simply down, you may not be able to reach your backup at all, and you can’t bring up a copy of your website somewhere else while you ride out the storm
  • Restricted backup schedule. May be daily, weekly or only monthly depending on the host

Private Backup Arrangements

Given the statements above, my recommendation is this;

If your host has free backups available, take advantage of them. In the main they’ll probably save your skin if you get hacked, and they’re likely to be quicker to restore in most cases. However, if you can afford it (and can you really afford not to?) you should look at a second backup solution for your hard work. Whichever you choose, test a restore at least once, because a backup you have never restored is a hope rather than a plan, and where you can, keep the backup destination’s credentials out of reach of the site itself so that an attacker who has taken over WordPress cannot delete the backups as well.

Updraft Plus

UpdraftPlus is an excellent backup tool for WordPress and I use it here. With UpdraftPlus you can back up your website to Google Drive, FTP, S3 storage and a whole plethora of other locations. A free version is available with a limited number of backup destinations and limited scheduling options.

The premium version allows sending each backup to multiple destinations at once, more destination types and finer-grained backup schedules.

I keep 14 days of backup on Google Drive using UpdraftPlus alongside my SiteGround backups. I’ll write a more extensive article on UpdraftPlus in due course, detailing how to install and use it. More information is available from the UpdraftPlus website though.

Install SSL

This is particularly important if you ever access your WordPress administration screens over WiFi in a cafe or some other public network. The problem with public WiFi is that anyone on the same network can snoop on your communication, and without HTTPS on your WordPress website your password is sent in plain text to the server for authentication, where anyone who knows how can read it.

SSL (Secure Sockets Layer, or more accurately its successor TLS, Transport Layer Security) stops that by encrypting the connection between your machine and the WordPress host server. Anyone eavesdropping on a public WiFi network sees only encrypted traffic that is very difficult for them to decrypt. It also protects the login cookie WordPress sets once you are in, which is just as useful to a thief as the password itself.

Historically, a certificate for a website was prohibitively expensive for the average punter. But with the arrival of Let’s Encrypt the cost has fallen to zero. Let’s Encrypt only verifies that you control the domain name; if you want a certificate that also vouches for your organisation’s identity, you’ll still need a paid organisation- or extended-validation certificate. For encrypting the connection, which is what matters here, the free certificate is exactly as good.

Google has used HTTPS as a ranking signal for some years, and Chrome marks plain HTTP pages as ‘Not secure’. This means that if you’re still not using Let’s Encrypt on your website you’re likely to lose Google position ranking, and visitors, to sites that are.

Let’s Encrypt SSL certificates can generally be installed on most web hosting services these days. Again, they certainly can be on SiteGround and they were easy to install on InMotion Hosting too. Pretty much any host that uses any variant of cPanel will be able to provide Let’s Encrypt SSL certificates. There’s no excuse 🙂

Fixing A Hacked WordPress Website

This is a complicated topic and depends to a large extent on how competent you are with things like FTP, SSH and your backup regime (you do have backups don’t you?). It’s also a very long topic and this article is already over 4000 words. I’ll come up with another post outlining the best ways to recover from a hacked WordPress website.

Thanks for reading and if you’ve any questions or comments please don’t hesitate to leave them for us below. We look forward to hearing from you!
